DoorDash is delivering bad news to millions of its customers and drivers: their data may have been accessed by hackers.
In a blog post made Thursday on its website, San Francisco-based DoorDash said an "unauthorized third party" gained access to data for about 4.9 million users earlier this year.
"Earlier this month, we became aware of unusual activity involving a third-party service provider," DoorDash said. "We took immediate steps to block further access by the unauthorized third party and to enhance security across our platform. We are reaching out directly to affected users."
DoorDash did not immediately respond to an email inquiry from NBC Bay Area on Thursday afternoon.
According to the post, only users who signed up for DoorDash on or before April 5, 2018 are impacted. Anyone who signed up later than that should not be affected, DoorDash said.
DoorDash operates a popular food-delivery app, using an Uber-like model connecting drivers and cyclists with hungry customers. Car and bicycle owners can sign up to be delivery drivers, or "Dashers," and receive payment for picking food up at restaurants and bringing it to diners' doorsteps.
The DoorDash post said hackers infiltrated its system on May 4, and accessed information including customer names, emails, addresses, phone numbers, and encrypted passwords. DoorDash said the passwords could not be deciphered, but it advised customers to change their passwords just in case.
The company said hackers also accessed the last four digits of some payment cards and bank account numbers, but not full numbers or the three-digit CVV required to authorize payment. DoorDash said full account information was not exposed.
Drivers are affected, too. DoorDash said about 100,000 of its Dashers' drivers license numbers were exposed.
While the company reaches out to affected users, it has listed detailed information about the data breach in its blog post. Concerned customers and drivers can also call 855–646–4683 to learn more.